
Hi, this simple tutorial will teach you how to create tables in your vBulletin forum. Step by step you will learn how to use tables, how to edit them and how to adjust them!
Ok, first question: what's a vBulletin table? You must know that vBulletin is mostly composed of tables. A vBulletin table could be this, for example:

With tables you can do what you want! vBulletin is a big main table, remember. I hope you've appreciated this little tutorial. Let me know in this thread if you have more and specific questions.

06-14-2007, 09:28 PM

@Cr00t


How-To Cache Templates by Princeton

This article assumes that you are building your own product with end-user options.

INTRODUCTORY ON CACHING TEMPLATES:
Whenever you create a product you should cache your templates by adding them to the $globaltemplates and $actiontemplates array.

$globaltemplates are templates loaded by all actions.
$actiontemplates are templates loaded when a specified action is called such as $do (e.g. ?do=edit).

TEMPLATES NOT CACHED:

Quote:

When displaying an "error message" on the same page I notice that the templates are not cached.

This is due to the fact that the "action" does not have any templates to load (via $actiontemplates).*

To remedy this some coders add the uncached templates to the $globaltemplates array. However, this is the wrong way to do it. As a coder, our obligation is to cache the least amount of templates to consume less memory.

*NOTE: This usually happens when you are redirected back to the page via $_POST.

THE FIX:
To cache these templates, we add the following:

PHP Code:

$actiontemplates['insertsettings'] =& $actiontemplates['options'];

below the $actiontemplates array.

EXAMPLE:
A blog product that I am working on will display an error message to the end-user upon an error. The error message will be on the same page (redirected back via $_POST) not a STANDARD_ERROR page.

The interface is full of options that at the very least requires the end-user to enter a TITLE and DESCRIPTION.

The interface is accessible by the action "do=options".
To cache the required templates to build the interface I add the templates to the $actiontemplates array such as:

Strictly speaking, flash is an integrated development environment (IDE) while Flash Player is a virtual machine used to run, or parse, the Flash files. But in contemporary colloquial terms "Flash" can refer to the authoring environment, the player, or the application files.

Flash technology has become a popular method for adding animation and interactivity to web pages; several software products, systems, and devices are able to create or display Flash. Flash is commonly used to create animation, advertisements, various web-page components, to integrate video into web pages, and more recently, to develop rich Internet applications.

The Flash files, traditionally called "Flash movies" have a .swf file extension and may be an object of a web page, strictly "played" in a standalone Flash Player, or incorporated into a Projector, a self-executing Flash movie with the .exe extension in Windows. Flash Video files have an .FLV file extension and are utilized from within .swf files.

Most Flash imbued sites set up a splash page to notify the user that the site requires the flash plug-in to view properly and provides a link to the current version. Splash pages also advise of resolutions, content warnings and have bypass links.

# Flash for vBulletin

There are several ways to do flash in any HTML or XHTML document including vBulletin.

The standard object/embed method is to add the code below to your template, setting the params, width, colors, location and movie name to reflect your .swf file needs.

The SWFObject method uses a JavaScript file and is more flexible. It validates as HTML or XHTML, works with all browsers and has version detection. It also fixes the click-to-activate problem with IE browsers and can be set to display alternative content if the user does not have a Flash plug-in.

Developed by Deconcept and adopted by Adobe and most web designers, I recommend this method of embedding flash for all primary assets; however I will sometimes mix the two methods depending on the requirements of the page, as is demonstrated in this article.

Example pages, source files and the JavaScript file needed for SWFObject embedding can be found in the link below.

This short bit of Javascript is what passes in the Flash movie parameters – from the original code, above - so that the FlashObject script can display the Flash movie properly. Here’s the breakdown:

var so = new SWFObject("movie.swf", -- the full path to your Flash movie

"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000", -- this matches the “ID” from your Flash movie parameters, yours could be different, an easy way to find this ID is to set the publish settings in flash to output HTML along with the .swf file and then open the HTML in notepad or any editor.

"1000", -- the width of the Flash movie

"274", -- the height of the Flash movie

"8", -- the minimum version of the Flash Player that is required, you can set this to any version you desire, however I recommend setting it one version behind the current stable release.

"#000000"); -- the background color

so.addVariable("variable", "varvalue"); -- this is only necessary if you are passing in variables to the Flash movie through the HTML code. You can duplicate this line if you are passing in several variables.

Note: If you are running more than one instance of a flash element on a page as I am: header, footer, bot avatar and so on, you want to name each instance of the <div id="NAME"> and the so.write("NAME"); with a different ID. Ergo: <div id="header"> <div id="footer"> with matching so.write("header"); & so.write("footer"); variants.

Note: Change the IF conditional to the user ID you want to display the flash avatar.

06-14-2007, 09:36 PM

@Cr00t


Using the vBulletin Input Cleaner by Alan @ CIT

Note: This article assumes that you are familiar with PHP, and will introduce you to input filtering using vBulletin

Using the vBulletin Input Cleaner Class

Introduction

Most scripts will require data from a user at some point. When using this data, you should never assume that it is "clean" data. With XSS (Cross-Site Scripting) and SQL exploits being identified in scripts on a daily basis, you should do everything you can to ensure that all data coming from the user has been cleaned ("sanitized").

vBulletin provides us with the vB_Input_Cleaner class to do just this.
The vBulletin Input Cleaner class is set up when the page loads, and can be accessed as $vbulletin->input.

Data Types

When you accept data from the user, you should know what type of data you are expecting to receive. The vBulletin Input Cleaner allows the following types of data to be cleaned:

TYPE_NOCLEAN - Will not be cleaned

TYPE_BOOL - Will check it is either true or false

TYPE_INT - Will check that it is an integer

TYPE_UINT - Will check that it is an unsigned integer

TYPE_NUM - Will check that it is a number

TYPE_UNUM - Will check that it is an unsigned number

TYPE_UNIXTIME - Will check that it is a unix-style timestamp (unsigned int)

TYPE_STR - Will check that it is a string, and runs trim() on it

TYPE_NOTRIM - Will check that it is a string and will not run trim() on it

TYPE_NOHTML - Will check that it is a string and run htmlspecialchars_uni() and trim() on it

TYPE_ARRAY - Will check that it is an array

TYPE_FILE - Will check that it is a file (ie, uploaded by the user)

You can also clean arrays of these types by using TYPE_ARRAY_<type>. For example, if you had an array of numbers, you could use TYPE_ARRAY_INT, or TYPE_ARRAY_NUM.

Cleaning Functions

The input cleaner class provides a number of useful functions that we can use to clean our data, depending on what data you wish to clean.

Cleaning Superglobal Arrays

By Superglobal, I mean $_POST, $_GET, $_REQUEST and so on. These arrays are created automatically by PHP and contain the user-sent input. They are referenced in the vBulletin Input Cleaner by nice short single letter names. These are:

p - $_POST

g - $_GET

r - $_REQUEST

s - $_SERVER

e - $_ENV

c - $_COOKIE

f - $_FILES

The vBulletin Input Cleaner class provides the clean_array_gpc() function which allows us to clean data in these Superglobal arrays in one hit, without having to clean every individual variable in them.

As you can see from this example, clean_array_gpc() takes 2 parameters. The first parameter specifies which Superglobal array you wish to clean, and the second is an array of variables and their types.

So, in the example above, we are telling clean_array_gpc() that we wish to clean the $_POST array, and that $_POST contains 3 variables, 'name', 'age', and 'usepm', and that we wish to clean them as TYPE_NOHTML, TYPE_UINT and TYPE_BOOL respectively.

Once cleaned, the new (clean) variables will be available in the $vbulletin->GPC array. So, to follow on from our previous example, we would use something like:

In this example, the 'age' variable in the $_GET Superglobal array will be cleaned to make sure it is an unsigned integer.

Cleaning a Single Variable

If you wish to clean a single variable that is not in one of the Superglobal arrays, you should use the clean() function.

Example:

PHP Code:

$cleaned_var = $vbulletin->input->clean($dirty_var, TYPE_NOHTML);

From this example you can see that clean() takes 2 parameters. The first is the variable that you wish to clean and the second is its type. Unlike the last 2 functions, clean() returns the variable directly.

Cleaning an Array of Variables

For times when you wish to clean an array of variables of mixed types, vBulletin provides the clean_array() function. The clean_array() function takes 2 parameters. The first is the array to be cleaned, and the second is an array of variable names, and their types.

This function works exactly the same as clean_array_gpc(), except instead of specifying which Superglobal array to clean, you specify your own array.

Conclusion

So, to sum up - always run all input from the user through the vBulletin Input Cleaner! As well as being a good coding practice, this will drastically decrease the chances of someone exploiting your script using an XSS or SQL attack.

Good luck using your new found knowledge of the vBulletin Input Cleaner class, and remember: If you get stuck, just ask! Knowledge sharing is what vBulletin.org is all about!

(Note: If you want to reproduce this article anywhere, I have no objections, but I do request that you give me credit for writing it, and a PM letting me know would be appreciated.)
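The four cleaning calls described in this article, put together in one script. This is an added example, not code from the original article or from vBulletin itself; it assumes a vBulletin 3.5+ installation with the file saved in the forum root, and the script name, the age limits, the sample values and the `$import_row` array are made up for illustration.

```php
<?php
// Added example, not part of the original article. Assumes vBulletin 3.5+ and
// that this file is saved in the forum root as cleaner_demo.php (made-up name).
error_reporting(E_ALL & ~E_NOTICE);
define('THIS_SCRIPT', 'cleaner_demo');

$phrasegroups     = array();
$specialtemplates = array();
$globaltemplates  = array();
$actiontemplates  = array();

require_once('./global.php'); // sets up $vbulletin and $vbulletin->input

// 1. Superglobal array: clean the three expected $_POST fields in one call.
//    Only the fields listed here are copied into $vbulletin->GPC.
$vbulletin->input->clean_array_gpc('p', array(
    'name'  => TYPE_NOHTML, // string, htmlspecialchars_uni() and trim() applied
    'age'   => TYPE_UINT,   // unsigned integer
    'usepm' => TYPE_BOOL,   // true or false
));
$name  = $vbulletin->GPC['name'];
$age   = $vbulletin->GPC['age'];
$usepm = $vbulletin->GPC['usepm'];

// Cleaning settles the type, not whether the value is acceptable. Range and
// presence checks are still the script's job (the limits are assumptions).
$errors = array();
if ($name === '')
{
    $errors[] = 'A name is required.';
}
if ($age < 13 || $age > 120)
{
    $errors[] = 'Age must be between 13 and 120.';
}

// 2. Single superglobal value: clean_gpc() returns the cleaned value.
$id = $vbulletin->input->clean_gpc('r', 'id', TYPE_UINT);

// 3. A variable that is not in a superglobal: clean() returns it directly.
$dirty_var   = '  <b>Bob</b>  ';   // constructed sample value
$cleaned_var = $vbulletin->input->clean($dirty_var, TYPE_NOHTML);

// 4. Your own array of mixed types: clean_array() returns the listed keys only.
$import_row = array(               // constructed sample, e.g. one imported record
    'title'   => ' <i>Weekly report</i> ',
    'views'   => '42abc',
    'tags'    => array('7', 'x', '9'),
    'ignored' => 'not listed below',
);
$clean_row = $vbulletin->input->clean_array($import_row, array(
    'title' => TYPE_NOHTML,
    'views' => TYPE_UINT,
    'tags'  => TYPE_ARRAY_INT,
));

// Show the results as plain text so nothing is interpreted as markup.
header('Content-Type: text/plain');
if ($errors)
{
    echo implode("\n", $errors) . "\n";
    exit;
}
var_dump($name, $age, $usepm, $id, $cleaned_var, $clean_row);
```

None of these types prepares a string for use inside an SQL statement; that is a separate step done with the database class when the query is built.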

Note: This tutorial assumes that you are familiar with PHP and SQL, and will introduce you to the vBulletin way of running SQL commands

Using the vBulletin Database Class

Introduction

Like most large web-based software, vBulletin includes a Database Abstraction Layer. This allows you to read and write to databases without having to use database-specific functions such as mysql_query, or pgsql_query. The database abstraction layer allows you to run SQL without having to worry about what database server is being used as it will all be handled in the background.

This article is a brief introduction to the vBulletin Database class which handles all database abstraction within vBulletin and the add-ons that you create.

Accessing the Database functions

When vBulletin loads any page, the database object is created and stored in the $db variable. This object contains all of the functions that you will use to access the vBulletin database.

Note: You can also access the $db variable as $vbulletin->db, but for readability, I will refer to it as $db for the rest of this article.

Table Prefix

We'll start with the most important part of reading and writing data within vBulletin, the TABLE_PREFIX constant. As you've probably noticed, you can choose a string to prefix all of your database tables within vBulletin. By default, this is "vb_". So your users table would be called "vb_user", your posts table "vb_post" and so on.

It is important that you remember that not everyone will be using the same prefix (if any) as you, so hard-coding "vb_" into your script will not work for a lot of users.

Luckily, vBulletin provides the TABLE_PREFIX constant for us to use. TABLE_PREFIX should be fairly self-explanatory, it contains the table prefix for the vBulletin database tables. For example, if in your config.php, you set the table prefix to be "vb36_", then TABLE_PREFIX would contain "vb36_". TABLE_PREFIX is set automatically when vBulletin runs so will be available in every vBulletin page.

As you can see in this example, we escape out of our SQL query string to include the TABLE_PREFIX constant. This is vitally important in every query that you run! If you leave it out of a query, your script will likely break for a lot of users.

For ease of reading, I will be leaving the TABLE_PREFIX constant out of my example queries below, but you should not!

Selecting Data

Almost every addon will need to read some data from a database table at some point. vBulletin provides the query_read() function for this purpose.

Example:

PHP Code:

$result = $db->query_read("SELECT column FROM table");

query_read() takes the SQL that you wish to execute as its parameter, and returns a database result set containing the results. This is the equivalent of mysql_query().

Handling the Result Set

As query_read() returns a database result set, rather than an array, we will need a function to read the result set and provide us with an array which we can then use. vBulletin provides a few functions which will do the job, namely:

fetch_field()

fetch_row()

fetch_array()

We will be concentrating on the last function, fetch_array() as that is the one you will find yourself using day-to-day.

Example:

PHP Code:

$array = $db->fetch_array($result);

fetch_array() takes a result set as its parameter and returns an array with the current row. Because it will only return 1 row at a time, you will need to use it in a while() loop if you are fetching more than 1 row.

Example:

PHP Code:

while ($array = $db->fetch_array($result))
{
// Do something with the current row here
}

As you can see, each time fetch_array() is run within the while() loop, it moves on to the next row in the result set.

Selecting a single row

If you know that you will just be selecting a single row of data from your table (ie, a users details, or a single forum post), then vBulletin provides a handy function called query_first() which will not only run your SQL query, but also return the row as an array for you.

In this example, you can see that query_first() takes your SQL query as its parameter and returns an array, rather than a result set. The query_first() function is handy when you know that you will only be selecting a single row from the table.

Writing to the Database

At some point, it is likely you will need to save some data to the database, or update an existing table with some changed data. To do this, vBulletin provides the query_write() function.

Example:

PHP Code:

$db->query_write("INSERT INTO table (column) VALUES ('value')");

As you can see, query_write() takes the SQL statement as its parameter.

Another useful function when writing to the database is the affected_rows() function. This will tell us how many rows were affected by the last INSERT, UPDATE or REPLACE query.

Example:

PHP Code:

$row_count = $db->affected_rows();

This function takes no parameters as it only works with the last write query that was performed, and will return the number of rows affected.

Fetching the last Auto-Increment number

If you have ever used PHP's MySQL functions, you'll likely be aware of the mysql_insert_id() function. When you have written a new row to a table that contains an Auto Increment field, mysql_insert_id() will return the Auto-Increment number for the new row.

Thankfully, vBulletin provides us with the insert_id() function which does the same job.

Example:

PHP Code:

$id = $db->insert_id();

This function takes no parameters and will return the most recent Auto-Increment field.

Handling Errors

vBulletin provides 2 functions that allow us to see if any errors have occurred when we run our SQL. These are error() and errno().

$db->error() will return the Error Text for the most recent database operation.
$db->errno() will return the Error Number for the most recent database operation.

By default, if an SQL error occurs, vBulletin will display an error page with details of the SQL error on it. You can prevent this by using the hide_errors() function. When using this, be sure to perform your own manual error checking.

You can show the error page again by using the show_errors() function.

Freeing up Memory

vBulletin will destroy all of your result sets once the page has loaded. However, if you are running queries that are returning a lot of rows, you should unset the result set yourself once you are finished with it to free up memory.

vBulletin provides the free_result() function for this purpose.

Example:

PHP Code:

$db->free_result($huge_result_set);

free_result() takes the result set as its parameter.

Cleaning User Input

Most of us need to run some form of SQL query that includes data submitted by the user. When using this data, you should never assume that it matches the data you have told the user to provide, as not all users are as honest as us.

Thankfully, vBulletin provides us with some functions that will clean input for us. escape_string() and escape_string_like() being 2 of them.

escape_string() does exactly what it says on the tin. It will escape (usually using backslashes, although some Database Servers use a different method) any string value that you pass it.

Important! You should never use addslashes() in your SQL queries. addslashes() was not designed to escape SQL strings, and doesn't do a particularly good job at doing it. Always use escape_string() or escape_string_like() to make strings safer.

Conclusion

To sum up, vBulletin provides you with functions to perform all common SQL tasks, without you having to worry about which database system is being used.

You should always use the vBulletin provided functions rather than database specific functions, as not everyone will be using the same database server as you. What's that you say? Only you will be using the script and you use MySQL? OK, but what happens 2 years down the line when you decide to switch to MySQLi, or PostgreSQL? Do you really want to have to go through your script replacing all the functions?

Good luck using your new found knowledge of the vBulletin Database Abstraction Layer, and remember: If you get stuck, just ask! Knowledge sharing is what vBulletin.org is all about!

(Note: If you want to reproduce this article anywhere, I have no objections, but I do request that you give me credit for writing it, and a PM letting me know would be appreciated.)
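How the database calls from this article fit together when a query contains user input, as an added example (not code from the original article or from vBulletin itself). It assumes vBulletin 3.5+ on MySQL with the file saved in the forum root; the script name, the form fields, the 50-row cap and the add-on table `demo_note` with its columns are made up for illustration.

```php
<?php
// Added example, not part of the original article. Assumes vBulletin 3.5+ on
// MySQL, this file in the forum root, and a made-up add-on table
// <prefix>demo_note (noteid AUTO_INCREMENT, userid, title).
error_reporting(E_ALL & ~E_NOTICE);
define('THIS_SCRIPT', 'dbclass_demo');

$phrasegroups     = array();
$specialtemplates = array();
$globaltemplates  = array();
$actiontemplates  = array();

require_once('./global.php'); // provides $vbulletin, $db and TABLE_PREFIX

// Fix the types first. TYPE_STR gives a trimmed string that is NOT escaped
// for SQL, so escaping still happens where the query is built.
$vbulletin->input->clean_array_gpc('p', array(
    'title'   => TYPE_STR,
    'search'  => TYPE_STR,
    'perpage' => TYPE_UINT,
));
$title   = $vbulletin->GPC['title'];
$search  = $vbulletin->GPC['search'];
$perpage = max(1, min($vbulletin->GPC['perpage'], 50)); // cap is an assumption
$userid  = intval($vbulletin->userinfo['userid']);      // owner never comes from the form

header('Content-Type: text/plain');

// INSERT: strings go through escape_string() and sit inside quotes;
// integers are interpolated only after being forced to int.
if ($title !== '')
{
    $db->hide_errors(); // check errno() ourselves instead of showing the SQL error page
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "demo_note (userid, title)
        VALUES ($userid, '" . $db->escape_string($title) . "')
    ");
    $failed = ($db->errno() != 0);
    $db->show_errors();

    if ($failed)
    {
        echo "The note could not be saved.\n"; // no SQL details for the visitor
        exit;
    }
    echo 'Saved note ' . $db->insert_id() . "\n";
}

// SELECT with LIKE: escape_string_like() is used for the pattern so that
// % and _ typed by the user are matched literally.
$notes = $db->query_read("
    SELECT noteid, title
    FROM " . TABLE_PREFIX . "demo_note
    WHERE userid = $userid
        AND title LIKE '%" . $db->escape_string_like($search) . "%'
    ORDER BY noteid DESC
    LIMIT $perpage
");
while ($note = $db->fetch_array($notes))
{
    // Plain-text output here; in an HTML template run the title through
    // htmlspecialchars_uni() first, because TYPE_STR does not do that.
    echo $note['noteid'] . ': ' . $note['title'] . "\n";
}
$db->free_result($notes);

// Single row: query_first() runs the query and returns the row as an array.
$count = $db->query_first("
    SELECT COUNT(*) AS total
    FROM " . TABLE_PREFIX . "demo_note
    WHERE userid = $userid
");
echo 'Notes stored for this user: ' . intval($count['total']) . "\n";
```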

Sets users to sysop status in MediaWiki if they are part of a specified admin usergroup

Removes users from sysop status in MediaWiki if they no longer are a part of a specified admin usergroup

For same-database setups, allows easy installation

Possible Future Features:
These are possible features for inclusion in the how-to in the future. They have not been investigated for their feasibility, but are here to let you know they have been requested and I am thinking about them. If you know how to add the features, please let us know.

No-login required (automatic) integration

Option: User profile field points to, or has option to link to vBulletin profile

To register, link the user to vBulletin's registration script on the login pages

How to:

Install Reynaldovb's Restrict usernames to alphanumeric and underscore plugin, and disallow both spaces and underscores

Optional: On boards that already have existing users, somehow have their usernames changed so that they are only alphanumeric. This is required if you wish your users to be able to login and edit the wiki using their vBulletin username. The reason you have to do this is because MediaWiki has some Restrictions on what can go in a page title, and as usernames have to be passed as page titles, they also have to adhere to the same restrictions. If you do not change the usernames, I have included a check to not allow users to login if their username contains non-alphanumeric characters.

If you are running vBulletin and MediaWiki in the same database, then it already uses the connection information.
If you are not running vBulletin and MediaWiki in the same database, please change the strings to reflect your vBulletin database information.
In either case, the last value is whatever your vBulletin table prefix is.

Insert this code below the require_once( "includes/DefaultSettings.php" ); at the top of the LocalSettings.php file:

This prevents people from registering new accounts on the wiki, requiring people to register on vBulletin. It also prevents anonymous edits. This code may only work on MediaWiki 1.5.x and above, but I am unsure.

Download the AuthPlugin_vBulletin.php file and put it in your main wiki directory, ie: /wiki/AuthPlugin_vBulletin.php

Please let me know if this was helpful, or if you can expand on this code.

This How-To should serve as a reference to coders, who have a basic knowledge of PHP and who want to make their own mods.

$vbulletin (Type: Object)

Contains vBulletin data that has been in separate variables in vB 3.0.x.
Below you can find a translation table of changed variables and functions.
This is an expanded version of the list that you can find in vBulletin's source code (functions_legacy.php).
vBulletin 3.0.3 locations are on the left hand side, and the corresponding vBulletin 3.5.0 locations are on the right hand side.
Legacy locations can be enabled by running legacy_enable(), although this is officially not recommended for long term compatibility.

$vbulletin
Inside of object classes, you should access $vbulletin->[...] as $this->registry->[...]. Therefore, use that structure when modifying code inside of any classes.

VARIABLES ENABLED FOR TEMPLATES
$vboptions['x'], $bbuserinfo['x'] and $session['x'] do work in the template system without running legacy_enable().

SUPERGLOBALS
$_GET/$_POST/$_REQUEST/$_COOKIE/$_FILES/$_SERVER/$_ENV are available anywhere, but generally you should avoid using them. Instead, "clean" those variables and place them into $vbulletin->GPC using $vbulletin->input->clean_gpc() and $vbulletin->input->clean_array_gpc() methods.
You can read more about these two "cleaning" methods here.

As a summary:

Use $vbulletin->input->clean_gpc() for a single variable, and $vbulletin->input->clean_array_gpc() for arrays.

After variables are patched through, they can be accessed using $vbulletin->GPC (which is an array).

Cleaning 'somevar' will not create variable $somevar.

$vbulletin->input->clean_gpc() returns the clean value, therefore the following code will work out nicely:

Code:

$id = $vbulletin->input->clean_gpc('r', 'id', TYPE_UINT);

Once you get to know the syntax of those functions, you can use the following as a reference:

GLOBALIZING VARIABLES IN FUNCTIONS
Since most of the variables can be found within the $vbulletin class, there is generally no need to globalize more than one variable (which is $vbulletin). An exception would be the $vbphrase array, which currently cannot be found within the $vbulletin class.

DATASTORE ITEMS
In vBulletin 3.0.x you could commonly see the following code:

PHP Code:

if (isset($datastore_item))

Unfortunately, this does not work in vBulletin 3.5.0, since the datastore items are now contained within $vbulletin class.
You need to use the following code instead:

PHP Code:

if ($vbulletin->datastore_item !== null)

BITFIELDS
In case you have been wondering, "ugp" stands for "UserGroup Permissions".
To avoid the confusing "$object->array[key1][key2][key3][key4]...[key10]" stuff, there are references set up that allow you to talk to deep elements quickly. For example, $vbulletin->bf_ugp_adminpermissions is a reference to $vbulletin->bf_ugp['adminpermissions'].

BBCODE PARSE
BBCode Parser has changed slightly in vBulletin 3.5.
To familiarize yourself with the new syntax, check out KirbyDE's How-To.

MISCELLANEOUS
It is impossible to list here every aspect of vBulletin code, therefore you should familiarize yourself with the contents of init.php and class_core.php before beginning to hack into the system (and I know you are in a rush).

$db (Type: Object)

As you might have judged from the Table 1 in this tutorial, the database object in vB3.5 is $vbulletin->db.
However, $db is another way to access that object; it is the way that is used everywhere unless you call it from within a function. In functions, use $vbulletin->db.
Obviously, the purpose of the database method is to perform various operations on the database. Most common methods are described below.

The first function enables sql error output (default), whereas the second function disables such output.
Useful when you do not want the script to die on error (example: no die on product installation if a table already exists).

Data Managers

Data Managers (DMs) are an interface to various data objects used within vBulletin. They enforce necessary constraints and administrator-set options on the data to ensure that the data is valid.
You can read more about Data Managers in vBulletin's online manual.
Also, you can read specifically about the User DM in this KirbyDE's How-To, and about Thread DM here.

Authentication Storage

The authentication data is stored in the following way (thanks to Kirby for this info):

Returns the HTML for multi-page navigation.
The last two arguments are not used yet, therefore they are not documented.

Code:

$pagenumber int Total number of items found
$perpage string Base address for links eg: showthread.php?t=99{&page=4}
$results string Ending portion of address for links

eval(standard_error(fetch_error('error_phrase')));

Outputs a standard error message with a phrase of your choice.
fetch_error looks up the phrase you specify in the "Front-End Error Messages" phrase category.
Error phrases must be prefixed with "error_".

Returns eval()-able code to initiate a standard redirect
$vbulletin->url should contain the target url for the redirect.

Code:

$redir_phrase string Name of redirect phrase
$doquery boolean If true, it will fetch $redir_phrase from "Front-End Redirect Messages" phrase category. Must be prefixed with "redirect_".
If false, it will use the value of $redir_phrase as the phrase itself.
$forceredirect boolean Should generally be set to true.

$forumid int Specific forum to check. If not set, will check whether the user is a moderator of any forum at all.
$do string Specific mod action to check. If not set, will check whether the user is a moderator of the forum specified in $forumid.
$userid int User ID to check. If not set, will use $vbulletin->userinfo.
$usergroupids string List of group IDs, separated by commas, to which the user belongs. Should be generally left blank.

can_administer();

Checks whether or not the visiting user has administrative permissions

This function can optionally take any number of parameters, each of which
should be a particular administrative permission you want to check. For example:
can_administer('canadminsettings', 'canadminstyles', 'canadminlanguages')
If any one of these permissions is met, the function will return true.
If no parameters are specified, the function will simply check that the user is an administrator.

convert_bits_to_array(&$bitfield, $_FIELDNAMES);

Converts a bitfield into an array of 1 / 0 values based on the array describing the resulting fields. Returns an array.